mailman doesn't receive messages from sendmail on fresh F8 install

Daniel J Walsh dwalsh at redhat.com
Wed Feb 20 13:14:22 UTC 2008



Edward Kuns wrote:
> On Tue, 2008-02-19 at 17:03 -0500, Daniel J Walsh wrote:
>> Check to see if the relabel worked without the module
>>
>> # semodule -r mymailman
>>
>> Now try it again.  This should work without AVC messages
> 
> Interestingly, this does work and doesn't work, but it fails at a later
> stage than it used to.  What does this mean?  The message appears to get
> delivered, but I also get an selinux complaint referring to the mail
> spool file:
>
Could mean that sendmail has an open file descriptor to a file in the
mqueue_spool and it leaked it to mailman.

I don't think mailman reads /var/spool/mqueue/dfm1K3MwNg031190 directly.
> Summary
>     SELinux is preventing /usr/lib/mailman/mail/mailman (mailman_mail_t) "read"
>     to /var/spool/mqueue/dfm1K3MwNg031190 (mqueue_spool_t).
> 
> Detailed Description
>     SELinux denied access requested by /usr/lib/mailman/mail/mailman. It is not
>     expected that this access is required by /usr/lib/mailman/mail/mailman and
>     this access may signal an intrusion attempt. It is also possible that the
>     specific version or configuration of the application is causing it to
>     require additional access.
> 
> Allowing Access
>     Sometimes labeling problems can cause SELinux denials.  You could try to
>     restore the default system file context for
>     /var/spool/mqueue/dfm1K3MwNg031190, restorecon -v
>     /var/spool/mqueue/dfm1K3MwNg031190 If this does not work, there is currently
>     no automatic way to allow this access. Instead,  you can generate a local
>     policy module to allow this access - see
>     http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385 Or you can disable
>     SELinux protection altogether. Disabling SELinux protection is not
>     recommended. Please file a
>     http://bugzilla.redhat.com/bugzilla/enter_bug.cgi against this package.
> 
> Additional Information
> 
> Source Context                system_u:system_r:mailman_mail_t:s0
> Target Context                system_u:object_r:mqueue_spool_t:s0
> Target Objects                /var/spool/mqueue/dfm1K3MwNg031190 [ file ]
> Affected RPM Packages         mailman-2.1.9-8.2.fc8 [application]
> Policy RPM                    selinux-policy-3.0.8-84.fc8
> Selinux Enabled               True
> Policy Type                   targeted
> MLS Enabled                   True
> Enforcing Mode                Enforcing
> Plugin Name                   plugins.catchall_file
> Host Name                     kilroy.chi.il.us
> Platform                      Linux kilroy.chi.il.us 2.6.23.15-137.fc8 #1 SMP
>                               Sun Feb 10 17:48:34 EST 2008 i686 i686
> Alert Count                   1
> First Seen                    Tue 19 Feb 2008 09:22:58 PM CST
> Last Seen                     Tue 19 Feb 2008 09:22:58 PM CST
> Local ID                      c52fd5cd-781f-4178-ae56-dd979cb54ab6
> Line Numbers
> 
> Raw Audit Messages
> 
> avc: denied { read } for comm=mailman dev=dm-2 egid=41 euid=8
> exe=/usr/lib/mailman/mail/mailman exit=0 fsgid=41 fsuid=8 gid=12 items=0
> path=/var/spool/mqueue/dfm1K3MwNg031190 pid=31193
> scontext=system_u:system_r:mailman_mail_t:s0 sgid=41
> subj=system_u:system_r:mailman_mail_t:s0 suid=8 tclass=file
> tcontext=system_u:object_r:mqueue_spool_t:s0 tty=(none) uid=8
> 
> 
> If I repeat the procedure from earlier, I get a longer mymailman.te file
> that contains the following:
> 
> 
> module mymailman2 1.0;
> 
> require {
> 	type sendmail_t;
> 	type mailman_mail_t;
> 	type mailman_log_t;
> 	type mailman_data_t;
> 	type mqueue_spool_t;
> 	class unix_stream_socket { read write };
> 	class dir { write remove_name search add_name };
> 	class file { write rename getattr read create append };
> }
> 
> #============= mailman_mail_t ==============
> allow mailman_mail_t mqueue_spool_t:file { read write };
> allow mailman_mail_t sendmail_t:unix_stream_socket { read write };
> 
> #============= sendmail_t ==============
> allow sendmail_t mailman_data_t:dir { write remove_name add_name };
> allow sendmail_t mailman_data_t:file { write rename getattr create };
> allow sendmail_t mailman_log_t:dir search;
> allow sendmail_t mailman_log_t:file { read getattr append };
> 
> It appears that I don't need all of these rules.  Looking at the two
> files, I see a *.pp file that appears to be a binary file and a *.te
> file that is human readable.  But I'm not sure how to create a policy
> file that's just the text file.
> 
> I also don't know why mailman wants access to the spool file, but with
> the above I get no complaints when I send mail to the list.  Without the
> above I still get a complaint, although the mail appears to get
> delivered OK.
> 
> 	Eddie
> 


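As an added illustration, not part of this thread and not Dan's or Eddie's code: the script below turns raw AVC lines like the one quoted above into the allow rules audit2allow would emit, merging permissions per source type, target type and object class, which is how a .te like the mymailman2 module above comes out. The first AVC line is the one from the thread; the second, a write denial on the same file, is constructed to show the merge. Seeing the rule derived from the denial makes it easier to judge, as Dan suggests, whether the access is genuinely needed or comes from a descriptor leaked by sendmail that should be closed rather than allowed.

```python
import re
from collections import defaultdict

# Two raw AVC lines: the first is the one quoted in this thread, the second
# is a constructed write denial on the same file to show how perms merge.
AVC_LINES = [
    "avc: denied { read } for comm=mailman dev=dm-2 egid=41 euid=8 "
    "exe=/usr/lib/mailman/mail/mailman exit=0 fsgid=41 fsuid=8 gid=12 items=0 "
    "path=/var/spool/mqueue/dfm1K3MwNg031190 pid=31193 "
    "scontext=system_u:system_r:mailman_mail_t:s0 sgid=41 "
    "subj=system_u:system_r:mailman_mail_t:s0 suid=8 tclass=file "
    "tcontext=system_u:object_r:mqueue_spool_t:s0 tty=(none) uid=8",
    "avc: denied { write } for comm=mailman exe=/usr/lib/mailman/mail/mailman "
    "path=/var/spool/mqueue/dfm1K3MwNg031190 pid=31193 "
    "scontext=system_u:system_r:mailman_mail_t:s0 tclass=file "
    "tcontext=system_u:object_r:mqueue_spool_t:s0",  # constructed, not from the thread
]

AVC_RE = re.compile(r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)")

def parse_avc(line):
    """Return (set of denied perms, dict of key=value fields), or None."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = dict(tok.split("=", 1) for tok in m.group("rest").split() if "=" in tok)
    return set(m.group("perms").split()), fields

def context_type(ctx):
    """user:role:type:level -> type, e.g. mailman_mail_t."""
    return ctx.split(":")[2]

def avc_to_rules(lines):
    """Merge denials per (source type, target type, class) into the allow
    rules audit2allow would emit; the .te quoted above has this shape."""
    merged = defaultdict(set)
    for line in lines:
        parsed = parse_avc(line)
        if parsed is None:
            continue  # not an AVC record (e.g. a setroubleshoot summary line)
        perms, f = parsed
        key = (context_type(f["scontext"]), context_type(f["tcontext"]), f["tclass"])
        merged[key] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(merged.items()):
        p = " ".join(sorted(perms))
        p = "{ %s }" % p if len(perms) > 1 else p
        rules.append("allow %s %s:%s %s;" % (src, tgt, cls, p))
    return rules
```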



More information about the fedora-selinux-list mailing list